29 results (0.006 seconds)

CVSS: 8.1EPSS: 0%CPEs: 3EXPL: 0

11 Jun 2025 — An unauthenticated remote attacker in a man-in-the-middle position can inject arbitrary commands in responses returned by WWH servers and gain arbitrary command execution with elevated privileges. • https://certvde.com/en/advisories/VDE-2025-052 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •

CVSS: 10.0EPSS: 0%CPEs: 3EXPL: 0

11 Jun 2025 — An unauthenticated remote attacker can execute arbitrary commands with root privileges on affected devices due to lack of Cross-Site Request Forgery (CSRF) protection in the Main Web Interface (endpoint event_mail_test). • https://certvde.com/en/advisories/VDE-2025-052 • CWE-352: Cross-Site Request Forgery (CSRF) •

CVSS: 10.0EPSS: 0%CPEs: 3EXPL: 0

11 Jun 2025 — An unauthenticated remote attacker can execute arbitrary commands with root privileges on affected devices due to lack of Cross-Site Request Forgery (CSRF) protection in the Main Web Interface (endpoint tls_iotgen_setting). • https://certvde.com/en/advisories/VDE-2025-052 • CWE-352: Cross-Site Request Forgery (CSRF) •

CVSS: 7.8EPSS: 0%CPEs: 13EXPL: 0

27 May 2025 — An unauthenticated remote attacker can exploit a denial-of-service vulnerability in the device's web server functionality by sending a specially crafted HTTP request with a malicious header, potentially causing the server to crash or become unresponsive. • https://certvde.com/en/advisories/VDE-2025-044 • CWE-410: Insufficient Resource Pool •

CVSS: 10.0EPSS: 0%CPEs: 13EXPL: 0

27 May 2025 — The devices are vulnerable to an authentication bypass due to flaws in the authorization mechanism. An unauthenticated remote attacker could exploit this weakness by performing brute-force attacks to guess valid credentials or by using MD5 collision techniques to forge authentication hashes, potentially compromising the device. • https://certvde.com/en/advisories/VDE-2025-044 • CWE-656: Reliance on Security Through Obscurity •

CVSS: 10.0EPSS: 0%CPEs: 13EXPL: 0

27 May 2025 — Due to missing authentication on a critical function of the devices an unauthenticated remote attacker can execute arbitrary commands, potentially enabling unauthorized upload or download of configuration files and leading to full system compromise. • https://certvde.com/en/advisories/VDE-2025-044 • CWE-306: Missing Authentication for Critical Function •

CVSS: 7.8EPSS: 0%CPEs: 13EXPL: 0

27 May 2025 — An unauthenticated remote attacker can exploit input validation in cmd services of the devices, allowing them to disrupt system operations and potentially cause a denial-of-service. • https://certvde.com/en/advisories/VDE-2025-044 • CWE-1287: Improper Validation of Specified Type of Input •

CVSS: 7.8EPSS: 0%CPEs: 13EXPL: 0

27 May 2025 — An unauthenticated remote attacker can exploit insufficient input validation to write data beyond the bounds of a buffer, potentially leading to a denial-of-service condition for the devices. • https://certvde.com/en/advisories/VDE-2025-044 • CWE-787: Out-of-bounds Write •

CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0

05 Mar 2025 — An unauthenticated remote attacker can use hard-coded credentials to gain full administration privileges on the affected product. Un atacante remoto no autenticado puede usar credenciales codificadas para obtener privilegios de administración completos en el producto afectado. • https://certvde.com/en/advisories/VDE-2025-021 • CWE-798: Use of Hard-coded Credentials •

CVSS: 6.4EPSS: 0%CPEs: 18EXPL: 0

14 Dec 2022 — Quanos "SCHEMA ST4" example web templates in version Bootstrap 2019 v2/2021 v1/2022 v1/2022 SP1 v1 or below are prone to JavaScript injection allowing a remote attacker to hijack existing sessions to e.g. other web services in the same environment or execute scripts in the users browser environment. The affected script is '*-schema.js'. Las plantillas web de ejemplo "SCHEMA ST4" de Quanos en la versión Bootstrap 2019 v2/2021 v1/2022 v1/2022 SP1 v1 o inferior son propensas a la inyección de JavaScript, lo qu... • https://cert.vde.com/de/advisories/VDE-2022-056 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •